DORA regulations: what companies must do to comply

February 2023

DORA regulations: everything you need to know

From January 17, 2025, the DORA Regulation will bind companies in the financial sector to a set of cybersecurity and operational resilience requirements.

Recently, and with increasing frequency, the media have reported on cyber attacks carried out against major financial institutions with the aim of stealing sensitive data.

In order to counter such attacks, the European Union presented a digital finance package aimed at closing loopholes in current legislation while, at the same time, ensuring that the European legal framework does not hinder the use of new digital financial instruments.

Among these measures is Regulation (EU) No. 2022/2554, better known as “DORA” (Digital Operational Resilience Act), which concerns digital operational resilience for the financial sector.

The DORA Regulation entered into force on January 16, 2023, but the entities it applies to have until January 17, 2025 to fulfill its many obligations.

Who are the recipients of the DORA Regulations?

As noted above, the DORA Regulation was issued in the context of digital finance and, as a result, is aimed at a wide range of financial players, such as:

  • credit institutions, payment institutions and e-money institutions;
  • investment firms and cryptocurrency service providers;
  • central securities depositories;
  • alternative investment fund managers and management companies;
  • insurance and reinsurance companies;
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
  • institutions for occupational retirement provision;
  • information and communication technology (ICT) service providers.

What are the obligations that financial institutions will have to fulfill?

As for the main obligations imposed on the entities listed above, an overall reading of the Regulation reveals a large number of them.

Specifically, these entities will be required to:

  • Manage ICT risk: adopt an internal governance and organizational framework that ensures effective and prudent control of all ICT risks;
  • Adopt a plan for managing cyber risks: identify their sources, implement mechanisms for detecting anomalous activity, and take preventive measures, all through resilient ICT tools and systems, so as to limit the impact of any risk;
  • Manage third-party ICT risk: classify ICT vendor-related incidents and cyber threats according to the criteria established by the EU legislature;
  • Report ICT incidents: operators will be required to set up a reporting system, based on a process of monitoring, recording and managing incidents, in order to notify the relevant authorities;
  • Conduct digital operational resilience testing, proportionate to the activity and size of the operator;
  • Share information: provide for information-sharing arrangements in order to encourage the exchange of cyber threat intelligence. DORA specifically provides for a voluntary program under which stakeholders may set up special arrangements for exchanging cyber threat intelligence.

In conclusion, although – as noted above – the obligations listed above may be fulfilled up to January 17, 2025, it is clear that the amount of work involved is significant and that practitioners must start as soon as possible, always keeping in mind the content of the existing legislation, to prepare the implementations required by the Regulation.